Paul wrote: > Eli wrote:
> >I have a feeling Exim is just fine, and instead what you are
> all seeing is the result of a recent series of server hacks?
> >
> I doubt that: I'm quite sure that we're not dealing with a
> hacked server here, and I just noticed the entries in my logs as well.
Server doesn't have to be "hacked" to be compromised. As stated, the phpBB
and AWStats exploits can leave no traces except what is in your web server
log entries. I know, I've got servers that have been hit by these exploits.
In either case, I did a grep of one of my mail server logs to see if it had
any entries similar to yours and I found nothing. So, my initial idea of
some other servers sending out their info is probably not valid (chances of
my systems having entries should be fairly high from hosting 50000+ users).
This doesn't seem to look like the work of a leaked file descriptor though.
I would expect random behaviour in that - targetting those files sounds a
bit too fishy. I don't even think Exim opens those files directly in a
standard situation, does it? Unless you have lookups set to query those
files, I thought any user lookups were done via system calls, not directly
querying the files? That's pure speculation - I haven't checked source code
to be sure or not.
> I just found the remote IP in sorbs btw, so I also assume
> it's no legitimate user.
Do the other services the system offers have logs as well? Cross reference
that IP with all your other system logs and see what you turn up.
